Overview
Verification of client Identity (“VOI”) is increasingly important because:
- solicitors are now the gatekeepers to digital systems rather than just lodgement agents. Checks which used to be done when critical documents were signed or registered must now be done at the outset of the retainer;
- acting for clients in routine matters without ever meeting them is now commonplace, not an exception. Clients expect to be able to conduct business online; and
- stringent anti-money laundering / terrorism financing programs within banks mean criminals will look to exploit weaknesses in other parts of the transaction chain.
Cost and client convenience must be factored against fraud risk, and it is not always easy to find a reasonable balance. This does not necessarily mean that client ID must be obtained every time you open a file. What is reasonable depends upon the circumstances, the nature of the matter, the client and how well you know them. However, every matter should trigger risk assessment and staff should have clear guidance as to what is required in particular transactions.
That process should ensure:
- a client is who they say they are;
- the client has authority to do what they instruct you to do on their behalf; and
- that an evidence trail is preserved.
Even in areas in which there is no express obligation to verify client identity, our fundamental duties of competence, honesty and fidelity to the law[1] require us to take reasonable care that we are not assisting in fraud or falsely claiming authority to represent a party.
“Safe Harbour” vs “reasonable steps”?
In electronic conveyancing transactions, ARNECC[2] requires subscribers to take “reasonable steps” [3] to ensure the firm’s Client Authorisation is signed by a person entitled to do so. In paper-based conveyancing the Land Title Practice Manual requires the same of any witness to titles documents.[4]
In both cases, a specific process is set out (the Verification of Identity Standard[5]) which will be deemed to constitute reasonable steps. If that process is followed “Safe Harbour” is achieved.
If the firm chooses another method to verify client identity, the onus will be on the firm to show that the method adopted was reasonable in the circumstances.
For details see ARNECC’s Guidance Note 2: Verification of Identity.[6] See also the QLS E-Conveyancing Guidelines[7] (e-conveyancing) and Titles Queensland’s VOI Standard [61-2700][8] (paper conveyancing).
Is the Safe Harbour process mandatory in conveyancing or other transactions?
No. The Model Participation Rules expressly preserve a firm’s discretion to adopt any reasonable process, but of course the further a practice deviates from the Safe Harbour method the greater the risk will be. That risk will vary depending upon the alternate method adopted and the circumstances of the transaction.
Safe Harbour as a concept is (strictly speaking) only relevant to property matters, as it is a process specified by ARNECC and the Titles Office. Following this process in other types of legal work does not confer the same degree of automatic protection. Having said this, it would be hard to criticise a firm which has used the VOI Standard.
What do QLS and Lexon recommend?
As the name suggests, “Safe Harbour” is safer for your firm in higher risk transactions. Safe Harbour may be less convenient for your clients (or more expensive, if using an in-person verification agent), but avoiding that inconvenience / cost will always transfer some additional risk to the practice.
Ultimately, however, this is a decision for the firm and none of the applicable regimes take that decision out of your hands. QLS recommends that each firm adopts a considered policy to determine when (if ever) it will accept a reasonable steps vs Safe Harbour VOI, for what types of matters, and what you consider to be an appropriate alternative.
If Safe Harbour is not being used, a more nuanced process is required. The relevant team will need to know what additional risk factors and warning indicia (“red flags”) to look for. Junior staff need to be able to seek guidance easily in response to red flags and dealing with clients who are pushing back on your VOI requirements.
Please remember: VOI of any sort, Safe Harbour or not, only addresses one part of the risk equation. Just because “Ms X” is who they say they are does not assure you that Ms X can sell a particular property or instruct on behalf of a particular company.
Lexon is continuing to monitor claims arising from identity fraud. Lexon has VOI checklists built into many of their client risk packs. The Lexon VOI approach mirrors ARNECC’s: reasonable steps are required, with a strong preference for Safe Harbour as the default standard. Importantly, the Conveyancing Protocol includes a VOI Checklist.
Can the VOI process be outsourced?
Yes. A firm may outsource some or all the VOI process to a third party individual or organisation. There are several commercial agencies who perform such services.
To achieve Safe Harbour the agent must meet certain criteria[9] and follow the usual process in the Verification of Identity Standard. There is no approved list of Identity Agents, and it is up to the firm to satisfy itself that agent meets the criteria.[10]
Again, while the specified criteria for Identity Agents only apply to electronic conveyancing, it would be difficult to criticise a firm that applied the same standard across the board.
Do Identity Agents always follow the Safe Harbour process?
Not necessarily. You will need to specify what kind of VOI you require. There are three common approaches:
- In person VOI: The Agent checks the client ID during a face to face meeting. This is capable of satisfying the Safe Harbour standard but will obviously be more expensive. In some permutations the client is visited by the agent, in others they attend a pharmacy, post office or other network location.
- Online VOI: The client holds up the ID during a video interview (which may be with a human or completely automated), the face in the video is compared with the ID, the ID is then checked on the Home Affairs database. This may or may not amount to reasonable steps based on the circumstances of the transaction.
- Document Verification Service: This is similar to the prior example except there is no video check of the client holding the ID. Only a scan of the ID itself is presented and the system checks that it is valid according to the database. This is an excellent adjunct to an in-person check (and can also avoid the risk of storing numerous ID documents on your network). It does not, however, establish that the owner of the ID is the person presenting it and is therefore a VOI tool rather than VOI solution.
Some Agents offer all three types of service.
It is important to understand exactly what the Agent will be checking, noting that their enquiry will usually only cover the identity of the person, not that that person has authority to deal with a particular asset. Subsequent enquiries such as title and company searches, or sighting company resolutions may be required.
If your legal practice selects the ID Agent / Document Verification Service (DVS) for the client, and that ID Agent / DVS stores the ID copies in their own secure environment, your firm should disclose this in your privacy policy and terms of engagement to the client.
Will a technology platform which does not require the client to meet with an Identity Agent in-person achieve Safe Harbour or reasonable steps?
Safe Harbour – No. QLS is aware that some online providers suggest that the client can select a person known to them who acts as an Identity Agent for that single transaction, operating under the provider’s insurance. It is hard to see that anyone can form a reasonable belief as to the character of the person sighting the documents under such circumstances. A fraudster will obviously either concoct a fictitious agent or trick some random person into signing the form.
Reasonable steps – it could be so, but – by definition – there can be no guarantee. There is (as at August 2022) no judicial guidance on what does or does not constitute reasonable steps or what factors will be taken into account. What might be appropriate in one matter type or transaction may not be appropriate in another.
Identity Agent vs Document Verification Service – what is the difference?
An Identity Agent is an organisation with defined characteristics which supplies verification services in accordance with the ARNECC verification of identity standard. A Document Verification Service is a system to check that documents are validly issued, and perhaps that the photo matches the photo stored in the database.
We ask clients to send copies of their ID or perhaps a spouse may bring in ID for their partner. Is this an appropriate VOI process?
This is a high risk option that does not constitute Safe Harbour and may not even be justifiable as reasonable steps in many circumstances. A scanned copy of ID documents can be from anywhere and can easily be digitally altered. Just because the copy is purportedly “certified” the electronic nature of the image makes them questionable unless you establish contact with the person who certified them.
Remember also the objective is not to simply obtain / sight copies of ID documents but to ensure that everyone you think you act for is (1) who they say they are and (2) has authority to instruct you.
Many frauds are committed by spouses and family members, so the fact that someone has access to identification documents does not necessarily mean they act with the knowledge of the owner of those documents. Changes in company directorships, trustees and asset structures may mean a client thinks they have authority to instruct but do not.
For the reasons stated above, any ID received via email should be removed to more secure storage and all copies in the email system removed (including any web server).
Does a video meeting count as “face to face and in person” as required to achieve Safe Harbour?
While there is no definitive authority on this point QLS considers that a video meeting does not create a Safe Harbour. It may well comprise reasonable steps in many circumstances. It is also preferable to a process which consists solely of obtaining copies by post or email.
Does VOI only apply to conveyancing?
No. Every firm should consider identity fraud risk each time:
- a new client engages the firm;
- an existing client returns with a new matter; [11]
- a client asks you to transfer money held in trust,[12] release a safe custody packet or supply confidential information.
Without limiting the scope; consider the difficulties that might ensue if your firm supplies a fraudster with a tainted Enduring Power of Attorney, Will or Deed appointing a Trustee, acts for a fraudulent borrower or recovers a debt that was not owing to the person you were instructed by.
You have no real way of knowing who is on the other end of an email or text conversation, so just because you have acted for someone before, instructions exclusively by electronic means should be verified in most cases.
You must check each part of the authorisation, (e.g.: directorships, resolutions, trust documents). A solicitor who warrants that they represent an entity may be personally liable if this is not the case.
Again, QLS recommends that your firm adopts a policy to assess in what types of matters client ID should be obtained, what types of documents will be accepted and what process to verify them should be followed.
In the case of safe custody documents, uplift requirements should be specified in the agreement or the covering letter when you accept documents by deposit. Once established as a contractual standard such processes should then be followed. Every time you correspond with another party stating that your firm “acts for Mr. X” or “XYZ Pty Ltd”, you warrant that this is so. If that third party relies upon that representation you may be liable if you have mistakenly misled them.
Red Flags
What factors should trigger a more rigorous investigation of identity? Without limitation, your policy should consider:
- a client that can never be contacted in real time by phone;
- new clients;
- a spouse / family member that is the sole point of contact, especially if they resist direct communication with the absentee client;
- absence of formal identification documents or expired documents;
- name changes and disparities in middle names, dates of birth;
- higher risk transactions such as asset sales and mortgages;
- clients who are not in the jurisdiction.
Does the ARNECC / Titles Office reasonable steps / Safe Harbour process apply to other types of matters?
No. Strictly, the ARNECC / Titles process has no relevance to anything other than conveyancing and only provides Safe Harbour in that context. However, Safe Harbour is regarded as the gold standard, and it would be hard criticising a firm which followed it unless there were other mandatory require
[1] Queensland Law Society, Australian Solicitors Conduct Rules 2012 (at 1 June 2012) rr 3-6.
[2] Australian Registrars National Electronic Conveyancing Council (‘ARNECC’).
[3] Australian Registrars National Electronic Conveyancing Council, Model Participation Rules (7th ed) (at 9 August 2021) clause 6.3(d) & (e), Schedule 8; see also Australian Registrars National Electronic Conveyancing Council, Model Participation Rules Guidance Note 2 (at April 2021).
[4] Titles Queensland, Land Title Practice Manual (Queensland) (at 1 April 2022) 61-2310.
[5] Broadly: insisting all clients attend the firm or a designated Identity Agent in person and supply specified original ID documents which are checked, and photos compared to the person presenting them.
[6] The Verification of Identity Standard (ie, what amounts to Safe Harbour) is contained in Schedule 8 of the Model Participation Rules. See Australian Registrars National Electronic Conveyancing Council, Model Participation Rules (7th ed) (at 9 August 2021).
[7] Queensland Law Society, E-conveyancing Guidelines (at April 2020), see paragraph 2.5.5 et seq. The Guide refers exclusively to PEXA Subscribers (as only PEXA was in operation when it was written), however, the same principles apply to other ELNO platforms.
[8]Land Title Practice Manual [n4]
[9] In summary, the agent must hold appropriate insurance and the firm appointing them must “reasonably believe” that they are reputable and competent. An agent that meets the conditions is defined as an “Identity Agent” in the Model Rules. See Australian Registrars National Electronic Conveyancing Council, Model Participation Rules (7th ed) (at 9 August 2021)
cl.2.1.2: definitions.
[10] Legal Practitioners, registered Conveyancers and licensed Mortgage Brokers can act as Identity Agents and are deemed to hold required insurance.
[11] Remember that some VOI standards require verification to be repeated at fixed intervals. For example, in electronic conveyancing identity documents must be sighted every two years. In the case of clients within the 2 year interval consider the risk of impersonation when taking electronic instructions, or that one member of a group or family is acting without the authority of other members. The objective is to actively consider the issue, not adopt a tick-box approach.
[12] Substantial funds transfers must be subject to “Read Out – Read Back” process as per the Lexon conveyancing protocol. Also ensure that instructions from all parties to a joint retainer are obtained.